On September 12, the Federal Trade Commission announced that it is seeking comment on its rule regarding the Disposal of Consumer Report Information and Records. Under the Disposal Rule, a person is required to properly dispose of consumer information by taking reasonable measures to protect against unauthorized access or use of the information in connection with its disposal. Aside from the general issues, which are very similar to the general issues raised by the FTC in its request for comment on the Safeguards Rule last month, there are two noteworthy concepts present in the specific questions contemplated by the FTC.
The first notable question relates to the definition of consumer information. Under the Disposal Rule, consumer information is any identifying record, regardless of format, about an individual that is, or is derived from, a consumer report as defined under the Fair Credit Reporting Act. Consumer information includes any compilation of consumer report information. The definition of consumer information, however, expressly excludes information that is non-identifying, aggregate, or blind data. The FTC has asked whether the definition of consumer information should be amended to include information that can be reasonably linked to an individual in light of changes in relevant technology and market practices (such as retrospective analysis of a loan portfolio using anonymized consumer data to detect fraud). This concept was also brought up by the FTC in its 40 Years of Experience with the Fair Credit Reporting Act report, which suggests that if anonymized information can “reasonably be linked” to an individual consumer, the information may constitute a consumer report.
The second issue is the notion of abandoning the Disposal Rule’s flexible approach, which requires reasonable measures to be taken to protect the confidentiality of consumer information during the destruction process, in favor of a more prescriptive set of requirements. The Disposal Rule currently includes several illustrative examples of what the FTC considers to be reasonable measures, including implementing (and monitoring compliance with) policies and procedures that require papers containing consumer information to be burned, pulverized, or shredded, and electronic media containing consumer information to be destroyed or erased such that the information cannot be read or reconstructed; independently auditing any third-party vendors engaged to dispose of consumer information to ensure compliance with the Disposal Rule; and incorporation of proper disposal requirements by financial institutions governed by the Gramm-Leach-Bliley Act in their written information security programs. The FTC would like to understand whether any of these examples should be changed or additional examples added, and the impact of such changes.
Alternatively, the FTC would like to know whether specific requirements, rather than just suggestions, should be included in the Disposal Rule. Likewise, the FTC has asked whether the Disposal Rule should be amended to include other information destruction standards or frameworks, including whether a safe harbor should be considered for entities that comply with the destruction standards or frameworks. As mentioned in our earlier blog regarding the Safeguards Rule, it appears that the FTC will take into special consideration the impact the Disposal Rule has on businesses (especially small businesses) and consumers, and how any proposed changes might further affect such persons and entities.